- Employment, social security and social protection
For processing necessary to perform or exercise obligations or rights of the controller or of the data subject under employment, social security or social protection law, the Data Protection Act 2018 introduces a requirement on the controller to put into place an ""appropriate policy document""
(Paragraph 1 of Schedule 1 to the Data Protection Act 2018).
An appropriate policy document must:
- explain the controller's procedures for complying with the data protection principles laid out in Article 5 of the GDPR;
- explain the controller's policies as regards the retention and erasure of personal data, including providing an indication of how long the personal data are likely to be retained; and
- be retained for as long as the processing takes place (and then for six months when the relevant processing ceases), review it from time to time (if appropriate), and make the policy document available to the ICO without charge (if requested).
The controller must additionally ensure that its records of processing activities (under Article 30 of the GDPR):
- includes details on the controller's processing of personal data in the context of employment, social security and social protection;
- describes how the processing satisfies Article 6 of the GDPR (lawfulness of processing); and
- includes details on whether the personal data are retained and erased in accordance with the controller's policies.
(Paragraphs 38 – 41 of Schedule 1 to the Data Protection Act 2018)
The Data Protection Act 2018 restricts certain data subject rights, including subject access, with regard to employment references. For more information see 'Any other areas under discussion'.
(Paragraph 24 of Schedule 2 to the Data Protection Act 2018)
Enforced subject access
The Data Protection Act 2018 maintains the offence for requiring an individual to exercise their subject access rights to obtain a relevant record (largely relating to health, convictions and cautions, and statutory functions) as part of the recruitment or continued employment of that individual. For more information see 'Any other areas under discussion'.
(Section 177 of the Data Protection Act 2018)
Equal opportunity and treatment
The Data Protection Act 2018 allows employers, with certain restrictions, to consider ""specified"" categories of personal data (personal data revealing racial or ethnic origin, and religious or philosophical beliefs or personal data concerning health or an individual's sexual orientation) as part of equality of opportunity or treatment. Employers may also process data regarding racial and ethnic origin to promote and maintain diversity at senior levels of the organisation. For more information see 'Special rules for special categories of data'.
(Paragraphs 8 and 9 of Schedule 1 to the Data Protection Act 2018)